MIS risk and security project

Abdulellah1997
2-AUTHENTICATION.pptx

Security in Computing, Fifth Edition

Chapter 2: Toolbox: Authentication, Access Control, and Cryptography

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

1

1

Objectives for Chapter 2

Survey authentication mechanisms

List available access control implementation options

Explain the problems encryption is designed to solve

Understand the various categories of encryption tools as well as the strengths, weaknesses, and applications of each

Learn about certificates and certificate authorities

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

2

Authentication

The act of proving that a user is who she says she is

Determining who a person really is consists of two separate steps:

identification is stating an identity,

authentication is confirming the identity

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

3

Identification is asserting who a person is.

Authentication is proving that asserted identity

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

4

Identification vs. Authentication

Identities, (user-names) are public, and not protected.

bank account number is printed on checks

debit card account number is shown on your card

authentication should be reliable and is necessarily protected.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

5

Authentication Methods:

Something the user knows:

Passwords, PIN numbers, passphrases, a secret handshake

Something the user is:

biometrics, are based on a physical characteristic of the user

a fingerprint, the pattern of a person’s voice, or a fac

Something user has:

Identity badges, physical keys

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

6

Something You Know

Passwords

A user enters identification information

This identification can be available to the public or can be easy to guess because it does not provide the real protection.

The protection system then requests a password from the user.

If the password matches the one on file for the user, the user is authenticated and allowed access.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

7

password guessing steps

no password

the same as the user ID

is, or is derived from, the user’s name

on a common word list (for example, password, secret, private) plus common names and patterns (for example, qwerty, aaaaaa)

contained in a short college dictionary

contained in a complete English word list

contained in common non-English-language dictionaries

obtained by brute force, trying all possible combinations of alphabetic characters

obtained by brute force, trying all possible combinations from the full character set

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

8

Attacks on “something you know”:

Inferring likely passwords/answers

Guessing

Dictionary attacks

Defeating concealment

Exhaustive or brute-force attack

Rainbow tables

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

9

Distribution of Password Types

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

10

Alhough this data is from an old study, more recent studies have reaffirmed the results. The vast majority of passwords used on the Internet are extremely easy to crack.

10

Guessing Probable Passwords

Penetrators searching for passwords realize human characteristics and use them to their advantage

people prefer short passwords to long ones

Trying to guess 4 or 5 characters passwords takes only 475 seconds (about 8 minutes)

people tend to choose names or words they can remember

spelling checkers sometimes carry online dictionaries of the most common English words.

One contains a dictionary of 80,000 words. Trying all of these words as passwords takes only 80 seconds

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

11

Inferring Passwords Likely for a User

When selecting a password, users probably do not choose a word at random.

Passwords are usually something meaningful to People

personal passwords, such as the name of a spouse, child, other family member, or pet.

For any given person, the number of such possibilities is only a dozen or two.

Trying this many passwords by computer takes less than a second

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

12

Dictionary Attacks

Several network sites post dictionaries of phrases, science fiction character names, places, Chinese words, and other specialized lists.

These lists help site administrators identify users who have chosen weak passwords,

But the same dictionaries can also be used by attackers

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

13

Defeating Concealment

The operating system authenticates a user by asking for a name and password, which it then has to validate, most likely by comparing to a value stored in a table

Obtaining the table gives access to all accounts because it contains not just one but all user IDs and their corresponding passwords.

Solution: storing passwords not in their public form but in a concealed form

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

14

most systems lock out a user who fails a small number of successive login attempts.

This failure count prevents an attacker from attempting more than a few guesses.

however, that this lockout feature gives an attacker a way to prevent access by a legitimate user: simply enter enough incorrect passwords to cause the system to block the account.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

15

The interceptor can create a rainbow table, a list of the concealed forms of the common passwords,

Searching for matching entries in an intercepted password table, the intruder can learn that Jan’s password is 123456 and Mike’s is qwerty.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

16

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

17

Scrambled passwords have yet another vulnerability.

Pat and Roz both chose the same password.

Both copies will have the same concealed value, so someone who intercepts the table can learn that users Pat and Roz have the same password.

Knowing one means knowing both

some systems use an extra piece called the salt.

A salt is an extra data field different for each user, perhaps the date the account was created or a part of the user’s name.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

18

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

19

Password Storage

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

20

Plaintext

Concealed

Passwords should never be stored in plaintext but rather should always be concealed. We talk more about proper password storage later.

20

Exhaustive Attack/ brute force

the attacker tries all possible passwords

the number of possible passwords depends on the implementation of the particular computing system.

For example, if passwords are words consisting of the 26 characters A–Z and can be of any length from 1 to 8 characters, there are

261 passwords of 1 character, 262 passwords of 2 characters, and 268 passwords of 8 characters.

Therefore, the system as a whole has five million million possible passwords

With a rate of checking one password per millisecond, it would take on the order of 150 years to test all eight-letter passwords

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

21

intruder knows a password has to be remembered, people tend to pick simple passwords;

therefore, the intruder should try short combinations of characters before trying longer ones.

building a rainbow table of the common passwords, which reduces the attack effort to a simple table lookup

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

22

Good Passwords

2Brn2Bti? PayTaxesApril15th?

Long,

chosen from a large set of characters,

they do not appear in a dictionary.

Adding digits

uppercase and lowercase letters

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

23

Biometrics: Something You Are

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

24

Handprints and fingerprints are two among many examples of biometrics.

24

Biometrics are biological properties, based on some physical characteristic of the human body:

fingerprint

hand geometry (shape and size of fingers)

retina and iris (parts of the eye)

voice

handwriting, signature, hand motion

typing characteristics

blood vessels in the finger or hand

face

facial features, such as nose shape or eye spacing

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

25

Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, or shared and is always available

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

26

Problems with Biometrics

Disturbing: cultures, offensive

Expensive

Single point of failure:

example- retail application uses a biometric recognition is linked to a payment scheme: “If a credit card fails to register, customer can always pull out a second card, but if a fingerprint is not recognized, a customer has only that one finger

sore ,irritation fingers

Sampling error:

Variation reduces accuracy : face is tilted, if you press one side of a finger more than another, or if your voice is affected by a sinus infection.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

27

Recent advances in smartphones have begun to make biometrics cheaper and easier to use. Biometrics are still inadequate for extremely sensitive applications, but their convenience makes them a great alternative to weak passwords.

27

False readings:

False positive: incorrectly confirming an identity.

False negative: incorrectly denying an identity

Biometric matches are not exact; the issue is whether the rate of false positives and false negatives is acceptable.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

28

How it works

Biometrics are reliable for authentication but are much less reliable for identification.

All biometric readers operate in two phases.

First, a user registers with the reader, during which time a characteristic of the user (for example, the geometry of the hand) is captured and reduced to a set of data points.

During registration, the user may be asked to present the hand several times so that the registration software can adjust for variations, such as how the hand is positioned.

Registration produces a pattern, called a template, of the data points particular to a specific user.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

29

In the second phase the user later seeks authentication from the system, during which time the system re-measures the hand and compares the new measurements with the stored template.

If the new measurement is close enough to the template, the system accepts the authentication; otherwise, the system rejects it.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

30

Biometric authentication means a subject matches a template closely enough.

“Close” is a system parameter that can be tuned.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

31

Authentication Based on Tokens: Something You Have

you have a physical object in your possession

key.

badges

identity cards

credit cards

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

32

Active and Passive Tokens

passive tokens do nothing

key is an example of a passive token in that the contents of the token never change

active token can have some interaction with its surroundings.

For example, some public transportation systems use cards with a magnetic strip.

When you insert the card into a reader, the machine reads the current balance, subtracts the price of the trip and rewrites a new balance for the next use.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

33

Static and Dynamic Tokens

static token remains fixed. Keys, identity cards

most useful for onsite authentication

Skimming is the use of a device to copy authentication data secretly and transmit it to an attacker

ATMs

dynamic token overcome copying of physical tokens or passwords

essentially a device that generates an unpredictable value

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

34

Tokens: Something You Have

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

35

An RSA SecurID with a code that changes every 60 seconds. Physical possession of the token should be necessary for successful authentication.

35

One character 0%

Two characters 2%

Three characters 14%

Four characters, all letters

14%

Five letters, all same case

22%

Six letters, lowercase

19%

Words in dictionaries or lists of names

15%

Other good passwords

14%

One character

0%

Two characters

2%

Three characters

14%

Four characters,

all letters

14%

Five letters,

all same case

22%

Six letters,

lowercase

19%

Words in

dictionaries or

lists of names

15%

Other good

passwords

14%

Time-Based Token Authentication

PASSCODE PIN TOKENCODE=

Login: mcollings

2468159759Passcode:

+

Clock synchronized to UCT

Unique seed

Token code: Changes every

60 seconds

Time-Based Token Authentication

PASSCODEPINTOKENCODE

=

Login:mcollings

2468159759Passcode:

+

Clock

synchronized to

UCT

Unique seed

Token code:

Changes every

60 seconds